Got a weak password? Beware of Mr. Morto.

By Chris Paoli

Aug 31, 2011

Users of Microsoft's Remote Desktop Protocol might want to make sure they have strong passwords in place. The company is warning of a new worm that attempts to use RDP connections, which give users a look into another PC, to try to guess simple login and password information of users.

Nicknamed "Morto," the worm is uploaded to a PC when a user uploads a Windows DLL file. It then goes to work, looking for unsophisticated passwords and login credentials by trying a list of the thirty most often used passwords (for example, password, admin, 1111, etc.).

A number of recent studies, along with password files exposed by hackers, have shown that weak password combinations are all too common.

"Once a new system is compromised, [Morto] connects to a remote server in order to download additional information and update its components," wrote Microsoft's Hil Gradascevic in a TechNet blog. "It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted."

Security firm F-Secure, which was responsible for alerting Microsoft to the new threat, speculated that the worm's main functionality is to carry out a denial-of-service attack against specified targets. The company also pointed out that the worm could be difficult to locate. "As it is the malicious DLL that gets loaded, the regedit command does not show any graphic user interface (GUI) as it normally does," F-Secure said in a threat bulletin. "It decrypts and loads the encrypted payload saved at HKLM\System\Wpa\md registry value. This is when the payload takes control."
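A triage check for the registry value named in the F-Secure bulletin, as an added example that is not from Microsoft or F-Secure. It assumes an elevated PowerShell session on the host being examined; the helper name Get-ByteEntropy is hypothetical, and the entropy figure is only a hint that the data may be encrypted or compressed.

```powershell
# Added example: look for the value the article names (HKLM\System\Wpa\md)
# and summarize it for triage. It reads the registry only; nothing is changed.
$keyPath   = 'HKLM:\SYSTEM\Wpa'   # key named in the F-Secure quote
$valueName = 'md'                 # value named in the F-Secure quote

# Hypothetical helper: Shannon entropy in bits per byte (0 to 8).
# Large encrypted or compressed blobs score close to 8.
function Get-ByteEntropy {
    param([byte[]]$Data)
    if ($null -eq $Data -or $Data.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Data) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Data.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 2)
}

$key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Output "Key $keyPath not present or not readable."
}
elseif ($key.GetValueNames() -notcontains $valueName) {
    Write-Output "Value '$valueName' not present under $keyPath."
}
else {
    $kind = $key.GetValueKind($valueName)
    $raw  = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
    # Binary values come back as byte[]; other kinds are converted for sizing.
    $bytes = if ($raw -is [byte[]]) { $raw }
             else { [Text.Encoding]::Unicode.GetBytes([string]$raw) }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Key            = $keyPath
        Value          = $valueName
        Kind           = $kind
        SizeBytes      = $bytes.Length
        EntropyBitsPerByte = Get-ByteEntropy -Data $bytes
        Note           = 'Value named in the Morto bulletin is present; escalate for analysis.'
    }
}
```

The article does not say whether legitimate software ever writes this value, so a hit is a lead for further analysis, not a verdict.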

While Microsoft has labeled the alert level of this possible intrusion as "severe," as of Saturday, only a few thousand PCs had been infected by Morto, with 74 percent of recorded infections occurring on Windows XP machines.

The company is recommending users make sure that they use unique passwords that feature numbers, letters and symbols -- the worm only has a limited number of simple passwords it scans for.


Reader Comments

Fri, Sep 9, 2011
Mike Moxcey

'Weak' passwords are a fake problem. The only way it works is because of poor system administration, not because of bad users.
Lockout after 3 tries and a message to the sysadmin removes most of the 'problems' associated with so-called weak passwords.
Yes, '111111' and 'p@ssw0rd' are very weak but 121212 and Paswword aren't that weak and will not be guessed in the first 3 guesses.

Wed, Sep 7, 2011

Why can't we just LOCK DOWN all ports except the ones we really need, on a case by case basis? TCPIP for Web (8080) and email (smtp port) is really all anyone really needs. Then a nice TCPIP/Web virus protection program. Even have PC manufacturers Hard Code port access, making it impossible for any software to change port status. (Almost like external HUB port controls). It's getting NUTS with this cyber stuff, and I'm sure it will get worse.

Thu, Sep 1, 2011
Glenn

This is the reason that it is essential for Data Security Policies to have strong password policies -- no repeating characters, mixture of upper and lower case letters, use of numbers and even special characters if desired. I had confronted some users that whined about how difficult password management can be, but this article clearly emphasizes the need and benefit of enforcing a strong password policy.
